Another Hole Found in Just-Plugged Safari for Windows

Yet another security hole has been found in the newly released Apple Safari for Windows beta, not even a day before Apple released patches for a host of vulnerabilities found within hours of launching the beta. This one, posted by security researcher Robert Swiecki, lets attackers steal a cookie or fill the browser window with arbitrary content, or both.

Swiecki, posting to Bugtraq, says the flaw is in the JavaScript window.setTimeout() implementation. The security researcher tested the vulnerability with Apple Safari 3.0 on Windows 2003 SE SP2.

Polish hacker Michal Zalewski was taken aback by the vulnerability's duh factor. Responding to Swiecki's bug report, he said: "... all other recently reported problems aside, seeing this, I can only askwhich rock did Safari developers hide under for the past 8 years or so? I mean ... this is the type of a flaw you probably no longer even to test for because it seems too obvious'ping -l 65510' of the browser world..." (The ping Zalewski refers to is aka the "ping o' death," a means to easily crash, reboot or otherwise tamper with a large number of systems by sending a ping of a certain size from a remote machine. It has been well-known since at least 1997.)

Apple hasn't yet replied regarding whether this issue has been taken care of in its just-released Safari Beta 3.0.1, which patches flaws found earlier in the week.

Apple's Safari browser for Windows beta, introduced on June 11 at the Apple Worldwide Developers Conference and touted as being "designed ... to be secure from day one," turned out to have three DoS (denial of service) flaws, two memory corruption bugs, one command execution vulnerability and two remote code execution bugs right off the bat.

Within hours of its release, one of those vulnerabilities had been weaponized by Errata's Dave Maynor, and security researcher Thor Larholm had posted proof-of-concept code of a command execution vulnerability.

Larholm praised Apple for the fast turnaround on the security fix. "I want to congratulate Apple for fixing a serious security vulnerability in such a short time frame. Their usual response time can be counted in weeks to months. When I e-mailed them about the vulnerability it took them 2 days to even respond, which only happened after I asked for a non-automated reply. When I filed a bug on the WebKit tracker, bug 1481, nothing happened for a day except that some guy from 'gentlyusedunderwear.com' added himself to CC."

But he also noted that he expects variations on the vulnerability to pop up "pretty soon," given that some characters are still being passed to external URL protocol handler applications.

The update Safari Beta 3.0.1 for Windowscovers three security issues, all of which can lead to systems getting hijacked by remote attackers via arbitrary code injection or cross-site scripting.

One of the flaws is a command injection vulnerability. An attacker can trigger an exploit by luring a victim to a maliciously crafted Web page. It doesn't affect Mac OS X but could cause the browser to quit.

The second flaw could also be triggered by visiting a rigged site. This one is an out-of-bounds memory read issue that doesn't affect Mac OS X systems.

The third bug also involves visiting a malicious site where cross-site scripting awaits. It concerns a race condition. The malicious site may allow access to JavaScript objects or the execution of arbitrary JavaScript in the context of another Web page. Mac OS X systems are impervious to this issue.

The patched betas are available here for download, or via the "Apple Software Update" application, which is installed with the most recent version of QuickTime or iTunes on Windows.

The patched Safari for Windows XP or Vista file is named "SafariSetup.exe." Safari+QuickTime for Windows XP or Vista is named "SafariQuickTimeSetup.exe."